a513155803
a513155803
2019-03-14 16:19

C++如何使用EVENTLOGRECORD读取Windows系统日志解析后的详细信息

40
  • c++

图片说明

我需要读到图片上的详细内容

图片说明

现在能读到的就是这些详细内容,没用啊

也没想多麻烦,就是那个事件描述搞得我难受的要死

int main()
{
    HANDLE Log;
    EVENTLOGRECORD *ptr;
    TCHAR Buffer[BUFFER_SIZE] = { 0 };
    DWORD dwRead, dwNeeded;
    string Type, Source, UserID, User, msg;
    char *pchar, Data[4096];
    int Time, ID;

    if ((Log = OpenEventLog(NULL, "Security")) == NULL)
    {
        printf("OpenEventLog For Security Errr:%d \n", GetLastError());
        system("pause");
        return 0;
    }

    while (ReadEventLog(Log,
        EVENTLOG_FORWARDS_READ |
        EVENTLOG_SEQUENTIAL_READ,
        0,
        (EVENTLOGRECORD*)Data,
        sizeof(Data),
        &dwRead,
        &dwNeeded))
    {

        for (short i = 0; i < dwRead;)
        {
            EVENTLOGRECORD *ptr = (EVENTLOGRECORD*)(Data + i);

            //事件类型
            switch (ptr->EventType)
            {
            case EVENTLOG_ERROR_TYPE: Type = "错误事件"; break;
            case EVENTLOG_AUDIT_FAILURE: Type = "审核失败"; break;
            case EVENTLOG_AUDIT_SUCCESS: Type = "审核成功"; break;
            case EVENTLOG_INFORMATION_TYPE: Type = "信息事件"; break;
            case EVENTLOG_WARNING_TYPE: Type = "警告事件"; break;
            default:continue;
            }

            //日期和时间
            Time = ptr->TimeWritten;

            //源头
            Source = (TCHAR *)ptr + sizeof(EVENTLOGRECORD);

            //事件ID
            ID = (short)ptr->EventID;

            //计算机名
            pchar = (TCHAR *)ptr + sizeof(EVENTLOGRECORD);
            pchar += (strlen(pchar) + 1);
            UserID = pchar;

            //用户名  
            pchar += strlen(pchar) + 1;
            if (ptr->UserSidLength>0)
            {
                char Name[64];
                DWORD Length = sizeof(SID), Length1 = sizeof(Buffer);
                SID_NAME_USE Type = SidTypeUser;
                SID *sid = (SID *)(Data + ptr->UserSidOffset);
                if (LookupAccountSid(NULL, sid, Name, &Length, Buffer, &Length1, &Type))
                    User = Name;
            }

            //获取事件描述 
            if (ptr->DataOffset > ptr->StringOffset) 
            {
                pchar = Data + i + ptr->StringOffset;
                printf("%s ", pchar);

                for (short j = 0; j < ptr->NumStrings; j++)
                {
                    pchar += strlen(pchar) + 1;
                    printf("%s ", pchar);
                }
            }
            cout << "\n" << endl;
            i += ptr->Length;
        }
    }
    CloseEventLog(Log);
    system("pause");
    return 0;
}

图片说明

  • 点赞
  • 回答
  • 收藏
  • 复制链接分享

3条回答